pam_yubico - Module for YubiKey authentication
The module is for authentication of YubiKeys, either with online validation of
OTP, or offline validation with HMAC-SHA1 challenge-response.
Turns on debugging to STDOUT
Set the mode of operation, client for OTP
validation and challenge-response for challenge-response validation, client is
Set the location of the file that holds the
mappings of Yubikey token IDs to user names. The format is
username:first_public_id:second_public_id:... default location of the file is
Set to your client identity.
Set to your client key in base64 format. The
client key is also known as API key, and provides integrity in the
communication between the client (you) and the validation server. If you want
to get one for use with the default YubiCloud service, please go to
Set to enable all authentication attempts to
succeed (aka presentation mode).
Before prompting the user for their password,
the module first tries the previous stacked module´s password in case
that satisfies this module as well.
The argument use_first_pass forces the module
to use a previous stacked modules password and will never prompt the user - if
no password is available or the password is not appropriate, the user will be
List of URL templates to be used. This is set
by calling ykclient_set_url_bases. The list should be in the format:
This option should not be used, please use the
urllist option instead. Set the URL template to use, this is set by calling
ykclient_set_url_template. The URL should be set in the format
Specify the path where X509 certificates are
stored. This is required if https or ldaps are used in
url and ldap_uri respectively.
Specify a proxy to connect to the validation
server. Valid schemes are socks4://, socks4a://, socks5:// or socks5h://.
Socks5h asks the proxy to do the dns resolving. If no scheme or port is
specified HTTP proxy port 1080 will be used. E.g.
This argument is used to show the OTP (One
Time Password) when it is entered, i.e. to enable terminal echo of entered
characters. You are advised to not use this, if you are using two factor
authentication because that will display your password on the screen. This
requires the service using the PAM module to display custom fields. This
option can not be used with OpenSSH.
Specify the LDAP server URI (e.g.
Specify the LDAP server host (default LDAP
port is used). Deprecated. Use ldap_uri
The dn where the users are stored (eg:
ou=users,dc=domain,dc=com). If ldap_filter is used this is the base
from which the subtree search will be performed.
The LDAP attribute used to store user names
The LDAP attribute used to store the Yubikey
The prefix of the LDAP attribute’s
value, in case of a generic attribute, used to store several types of
Length of ID prefixing the OTP (this is 12 if
using the YubiCloud).
The user to attempt a LDAP bind as.
The password to use on LDAP bind.
An ldap filter to use for attempting to find
the correct object in LDAP. In this string %u will be replaced with the
Ca certfile for the LDAP connection.
Path of a system wide directory where
challenge response files can be found for users. Default location is
auth sufficient pam_yubico.so id=16 debug
auth required pam_yubico.so mode=challenge-response
auth required pam_yubico.so id=16 ldap_uri=ldaps://ldap.example.com ldap_filter=(uid=%u) yubi_attr=yubiKeyId
If authfile is not set this file is
used for the mapping between YubiKey public id and in client
If chalresp_path is not set these files
are used to hold next challenge and expected response for the user in
challenge-response mode. If chalresp_path is set the filename
will be username instead of challenge.
Report yubico-pam bugs in the issue tracker:
The yubico-pam home page: https://developers.yubico.com/yubico-pam/
YubiKeys can be obtained from Yubico: http://www.yubico.com/